
Canada Goose’s Breach Exposure: Lunar’s View

How Open-Source Projects Accelerate Info-Stealer Malware

On February 15, 2026, premium outerwear brand Canada Goose suffered a cybersecurity incident affecting its corporate and digital environment. While the attack’s entry vector remains unknown, its nature and timing are consistent with an ongoing trend: compromised credentials harvested by an external offender quietly weaken a corporation’s identity perimeter long before an intrusion is detected.

Lunar’s telemetry around the canadagoose.com domain shows that valid credentials associated with the brand were compromised in the same month as the reported breach. That establishes a narrow but important window in which access brokers or other threat actors might have obtained fresh high‑value accounts that were connected to Canada Goose’s third-party portals. 

Executive Snapshot 

  • Observation window: February 2026
  • Distinct credential exposures associated with canadagoose.com: ~2 
  • Principal malware family: Vidar infostealer 
  • Endpoint profiles: Mixed Windows corporate and personal devices
  • Pivotal services: Third-party portals (e.g., HR, partner or SaaS business systems)

While the number of exposed credential sets is small, access to each could have unlocked multiple business-critical applications. That makes it a non-trivial identity-driven risk for an organization with a global footprint and complex third-party dependencies.

What Lunar Saw Around the Canada Goose Incident

In the weeks around the February 15 incident, Lunar found Vidar infostealer logs with credentials linked to canadagoose.com accounts. These logs involved browser-stored usernames and passwords, session cookies, and autofill records for third-party portals used in the course of work. 

The exposure was concentrated in February 2026, suggesting that the credentials were likely still valid and in use at the time of the breach. That kind of closely timed exposure is particularly troubling for defenders: instead of working with long-aged, potentially rotated passwords, cybercriminals could have had access to live accounts with active sessions into the SaaS portals that support Canada Goose’s operations, supply chain, or HR processes.

Even with only ~2 distinct exposed credential sets, the effect can be significant. A single compromised credential can often access multiple cloud services, including ticketing and collaboration tools and vendor or logistics systems. Indeed, a single Vidar infection on a mixed-use endpoint may yield multiple entry points across an organization’s attack surface.

Infostealers and the Impact of Valid Accounts 

Vidar is a well-known infostealer that quietly harvests data instead of visibly damaging a host. Once it’s executed, often through deceptive downloads, cracked software, or malicious attachments, Vidar pulls the following: 

  • Saved browser credentials 
  • Session cookies and tokens 
  • Autofill details such as email addresses and often internal URLs

This behavior directly enables the use of valid accounts as an intrusion method: threat actors log in with legitimate credentials, sometimes with the help of active session cookies. Security teams face a significant obstacle in separating this activity from regular usage, as authentication flows and device fingerprints can mimic normal user access, particularly when the logins come from known user locations or devices.

In Canada Goose’s situation, the Vidar logs attributed to canadagoose.com targeted third-party portals, like HR platforms, partner or wholesale portals, or SaaS tools employed to manage e-commerce and operations. Although the systems exist outside the core network, they typically contain sensitive data, administrative tasks, or paths that could be misused to pivot further into the environment or to target downstream partners and customers.

A Plausible Attack Pattern 

Lunar’s data does not show that the specific observed Vidar logs were definitively used in the February 15 incident. But their presence matches a recurring pattern seen in many of today’s breaches, namely:

  1. Infection on a corporate or personal device: A user affiliated with Canada Goose interacts with a malicious file, website, or phishing content that executes Vidar on a Windows endpoint. 
  2. Exfiltration of portal credentials: Vidar silently scrapes all browser-stored credentials and cookies, including third-party business portals tied to canadagoose.com, and forwards that data to its command-and-control infrastructure. 
  3. Brokerage on underground markets: The logs are then packaged and offered for sale on illicit marketplaces, where access brokers or other groups screen for common corporate domains like canadagoose.com. 
  4. Exploitation for unauthorized access: A threat actor purchases the logs and uses the valid credentials and cookies to access a target’s SaaS or portal ecosystem. Because the credentials are legitimate, early detection is very difficult.

This is part of a wider paradigm shift from exploit-centric intrusions into identity-centric attack tactics powered by infostealer telemetry. 

Human Factors and the Personal Device Gap

Lunar’s observations indicate that Vidar infections associated with canadagoose.com come from a combination of corporate and personal Windows devices. This reflects the reality of modern employment, as employees often access business portals repeatedly from home laptops, dual‑use desktops, and other unmanaged endpoints. 

When a user logs into a third-party portal on a personal machine and that device becomes infected, the organization’s security team often has little or no visibility into the infection. But the browser on that device may contain credentials for:

  • HR and payroll platforms
  • Vendor or wholesale ordering systems
  • Customer service or ticketing tools
  • External collaboration or content platforms

This shadow IT and bring‑your‑own‑device model widens Canada Goose’s attack surface into environments where corporate controls like EDR, strict patching, and hardening may be absent. One Vidar infection in this context can expose credentials, giving adversaries a legitimate entry point into systems that support core business processes. 

Defensive Takeaways for Identity-Driven Risk 

The Canada Goose event and the related Vidar activity highlight multiple practical actions CISOs and security teams should prioritize:

  • Use phishing‑resistant MFA when possible: Move beyond SMS and simple push‑based authentication for high-value accounts, particularly those accessing sensitive third-party portals. Hardware keys and modern phishing‑resistant methods make stolen passwords and many session‑replay attempts far less useful.
  • Continuously monitor for infostealer‑harvested credentials: Treat external exposure of your domains’ credentials as an active incident indicator, not just a compliance concern. Use platforms like Lunar to detect when a corporate domain appears in infostealer logs so you can respond before attackers do.
  • Tighten session management for critical portals: Shorten session lifetimes and limit “remember me” and persistent login options for sensitive systems. Reducing browser session duration and scope decreases the value of stolen cookies and tokens.
  • Set clear policies on unmanaged devices: Apply conditional-access rules that restrict or limit access to critical portals from personal and unmanaged devices. Where outright blocking is impractical, run extra risk-based checks and monitoring on sessions from those devices.
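One way to operationalize the monitoring and session-policy items above, as an added example (not Lunar’s code or a Lunar API): it correlates constructed credential-exposure records with constructed portal sign-in events and emits the response actions for each affected account. The record field names, the 30-day exposure window and the 12-hour session policy are assumptions chosen for the example.

```python
from datetime import datetime, timedelta

# Constructed sample data (not real telemetry). Field names are assumptions.
EXPOSURES = [  # records a credential-exposure feed might emit for the domain
    {"user": "a.user@canadagoose.com", "family": "Vidar",
     "portal": "hr.example-portal.test", "observed": datetime(2026, 2, 9)},
    {"user": "b.user@canadagoose.com", "family": "Vidar",
     "portal": "partner.example-portal.test", "observed": datetime(2025, 10, 1)},
]
SIGNINS = [  # sign-in events as a portal's audit log might record them
    {"user": "a.user@canadagoose.com", "portal": "hr.example-portal.test",
     "time": datetime(2026, 2, 14, 3, 12), "cookie_age": timedelta(days=9),
     "managed_device": False},
    {"user": "b.user@canadagoose.com", "portal": "partner.example-portal.test",
     "time": datetime(2026, 2, 14, 9, 0), "cookie_age": timedelta(hours=2),
     "managed_device": True},
    {"user": "c.user@canadagoose.com", "portal": "hr.example-portal.test",
     "time": datetime(2026, 2, 14, 9, 30), "cookie_age": timedelta(hours=1),
     "managed_device": True},
]
SAMPLE_NOW = datetime(2026, 2, 15)       # assumed analysis time
EXPOSURE_WINDOW = timedelta(days=30)     # how long an exposure counts as fresh
MAX_SESSION_AGE = timedelta(hours=12)    # assumed session policy for sensitive portals


def triage(exposures, signins, now):
    """Return {user: sorted actions} for sign-ins that need identity-team response."""
    fresh = {}
    for e in exposures:
        if now - e["observed"] <= EXPOSURE_WINDOW:
            fresh.setdefault(e["user"], []).append(e)
    findings = {}
    for s in signins:
        actions = set()
        # A sign-in that post-dates a fresh exposure is an incident, not hygiene.
        if any(e["observed"] <= s["time"] for e in fresh.get(s["user"], [])):
            actions.update({"revoke_sessions", "force_credential_reset"})
        # A cookie older than policy means a stolen copy would still be valid.
        if s["cookie_age"] > MAX_SESSION_AGE:
            actions.add("session_exceeds_policy")
        # Unmanaged endpoints get risk-based step-up rather than a hard block.
        if not s["managed_device"]:
            actions.add("require_step_up_auth")
        if actions:
            findings.setdefault(s["user"], set()).update(actions)
    return {user: sorted(acts) for user, acts in findings.items()}


def triage_sample():
    return triage(EXPOSURES, SIGNINS, SAMPLE_NOW)
```

Only the account whose exposure falls inside the window and precedes a sign-in is flagged; the older exposure record is ignored, which is the same reasoning the article applies to February-dated logs.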

By pairing robust identity controls with external monitoring of infostealer-driven exposure, organizations like Canada Goose can close the window of uncertainty between credential theft and exploitation, preventing compromised accounts from becoming the starting point for a large-scale compromise.

Disclaimer 

This report is based on telemetry observed by Lunar and publicly available information. The findings presented are provided for informational purposes only. Lunar does not claim direct attribution, nor does it assert that the observed credential exposures were the definitive cause of the reported security incident. This analysis represents a correlation of temporal data points and does not constitute a “smoking gun” or identify “patient zero.”

Dan Breslaw